Tag Archives: rsac

Organizations being hacked is not always the result of a superior adversary, but more often than not (I think the figure is closer to 85% defender mistakes vs. 15% “very skilled”) the result of poor defenses. The recent Russian hacking highlights against the White House website (note that GAO rated MOST Federal agencies as failing with regard to their information security postures) was noted as skilled, because they used not-yet-known vulnerabilities. This is a generous leap in conclusion.

Their sophistication is not a factor here, but they have budget to buy such vulnerabilities off the open market. These are easily available and a successful attack could be orchestrated with less than $10k. According to public sources, the very expensive vulnerabilities cost around $100k. Easily within the reach of any financed attack group.

As we enter the week of RSA, and likely a slew of discoveries released this week, let’s be pragmatic on their impacts and the defender’s role.

They’ve determined that APT28, a politically-motivated Russian hacking group, used unpatched exploits in Flash Player and Windows in a series of assaults against a “specific foreign government organization” on April 13th. Patches for both flaws are either ready or on the way, but the vulnerabilities reinforce beliefs that APT28 is very skilled — less experienced groups would use off-the-shelf code.

So, after writing for clients and my research being all consuming this past year I am re-focusing time in my day to share observations and thoughts. Why? Quite simply I learn more when I write, share, and get feedback than living in an echo chamber. How will this benefit the world/you? Simple: you will share in the knowledge I gain from sweat and toil and learn through the same iteration cycle as I. I also will begin focusing my posts on my dedicated portal for such topics and (attempt) to limit my writings here to on-topic. I hope you will continue to join me on the new(er) site and the other media platforms.

Also, I am trying to aim for a high iteration format instead of the long form of old. Meaning, shorter (I hope) posts that are succinct on ideas without the typical pre/post writings that are common in most write-ups. My ask, please share, challenge, and seek to understand my perspective – as I will do for you.

Onward then …

Today is RSA day and 2 themes that are evident and of most importance based on several large client discussions; analyst discussions; and a few researchers I had the privilege of speaking with today:

1. Communicating the WHY is of paramount importance today (WHY are we spending security budgets on X assets? WHY are our practices for managing enablement between development, operations, and security out of sync? Etc..)

2. Passive Resistance (my phrase, but after a day of hearing about NSA, RSA, Crypto architects disowning responsibility for operational deployment, and “enable” privacy, security this is where I landed) is the idea of persons and organizations being asked to respond to these threats in a manner that impinges on their capabilities. There are many problems with this stated position, but I shall leave that for another day and your own pondering.

Businesses must address #1 and be extremely cautious with #2, and #2 will be a heavy discussion during my RSA session on Thursday for all that are present. If you are unable to attend, I will as usual post my work and research in note form online. Looking forward to learning and expanding my thinking with you.

Today kicked off, for me, the RSA conference. The best part of these types of events is the onslaught of ideas shared between peers – generally through networking and random encounters in hallways (such as bumping into Bill Brenner). Thanks first off to RSA for creating the forum for these discussions to occur.

I have the privilege of speaking tomorrow, and look forward to the debate and flow of ideas that will ensue.
While reviewing some of the research provided to attendees, I had the following observations, and wanted to share them in entirety for debate and expansion:

#rsac Art’s presentation was good. Agree with Taleb perspective, but it must be applied at Org to match robustness #infosec

Art Coviello gave an impassioned presentation that I thought was very good for a keynote at that level. Typically there is a risk of sales material (which did occur at the end, of course), but there were a couple of good analogies and mental positioning. I thought his analogy to Nassim Taleb’s AntiFragile was on point (and funny since I am 1/3 through it, so very fresh in the mind) for the security operations against the cyber threats. I would expand it though to include the business process and information security compliance program. I have found that the block and tackle of information security itself needs to be robust and antifragile. The lack of these elements forfeits the benefits of the threat intelligence he describes.

This is especially poignant to me given the relative lack of volatility in the type of attacks that succeed against organizations, and their ongoing effectiveness in breaching our company defenses.

If you are looking to enjoy the keynotes (I would recommend at least Art and Scott Charney), they are available live or on-demand here.

The advent of user created, managed and handled passwords as the sole means of authenticating is coming to an end. The utility of these was defined in an era based on assumptions of brute force capability, system computing power and pro-active security teams. – After much debate and analysis … there is the thesis

This topic came up for me last year as I was working through some large amorphous business processes. The question of credentials was raised, and we challenged it. This is interesting as we had some pretty serious brains in the room from the house of auditing, security, risk, and business leaders. I am sharing my thoughts here to seek input and additional alternate perspectives – seeking more ‘serious brains’.

I will update as feedback comes in … this and other posts will serve as workspaces to share the analysis and perspectives to consider. I am breaking this topic across different posts to allow for edits and pointed (critical perhaps) feedback on a topic basis. This is LIVE research, so understand impressions today may change tomorrow based on information and insight. Looking forward to collaborating, and with that … let’s jump right in!

————————————————————————

Passwords are designed to restrict access by establishing confirmation that the entity accessing the system is in fact authorized. This is achieved by authenticating that user. Passwords / pass phrases have been the ready steady tool. The challenges to this once golden child cross the entire sphere, and I’ll be seeking your collaboration through the journey up to my RSA presentation in SFO at the end of February 2013!

False premise three – Password control objectives are disassociated from the origination and intent

FALSE PREMISE ONE: (Updated Jan.31.2013)

Passwords are great because they are difficult to break?

The idea here is that users are trained (continuously) to use complex, difficult, long, and unique passwords. The concept was that these attributes made it difficult for a password to be broken.

Let’s explore what that meant… When a password was X characters long using Y variety of symbols it would take a computer Z time to break it. Pretty straightforward. (This example is drawn for a password hash that is being brute force attacked offline.) This analogy and logic is also true with encryption, but it is based on a poor premise:

Password cracking CPU cycles for a single machine are far more powerful than yesteryear, AND if we focus ONLY on computing power, well the use of Cloud Armies to attack represents the new advantage for the cracking team

Password cracking by comparison pretty much made the CPU argument (and length of time to hack) moot. There exist databases FULL of every single password hash (for each type of encryption / hash approach) that can be compared against recovered passwords – think 2 excel tables .. search for hash in column A and find real world password in column B.

Interesting selective supporting facts:

A $3000 computer running appropriate algorithms can make 33 billion password guesses every second with a tool such as whitepixel

A researcher from Carnegie Mellon developed an algorithm designed for cracking long passwords that are made up of a combined set of words in a phrase (a common best practice advice) – “Rao’s algorithm makes guesses by combining words and phrases from password-cracking databases into grammatically correct phrases.” This research is being presented in San Antonio at the “Conference on Data and Application Security & Privacy” – New Scientist
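To put numbers on the X / Y / Z argument and the "two excel tables" picture above, here is an added example (not part of the original post). It computes worst-case exhaustion time at the 33 billion guesses per second quoted above, then shows a precomputed table recovering an unsalted hash while a salted, slow-KDF record of the same password does not match. The choice of MD5 for the weak case, PBKDF2 for the strong case, and the sample wordlist are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GUESSES_PER_SEC = 33e9  # rate the page quotes for a $3000 machine

def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SEC):
    """Worst-case time to try every password of exactly `length` symbols."""
    return alphabet_size ** length / rate

def store_unsalted(password):
    """Weak storage: one fast, unsalted hash (MD5 is an assumption here)."""
    return hashlib.md5(password.encode()).hexdigest()

def store_salted(password, iterations=200_000):
    """Stronger storage: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk

def verify_salted(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt, iterations, dk = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(guess, dk)

# Constructed sample wordlist standing in for a precomputed hash database.
WORDLIST = ["password1", "letmein", "Summer2013!", "correct horse battery"]
TABLE = {store_unsalted(p): p for p in WORDLIST}  # column A -> column B

def lookup(stored_hash):
    """Return the plaintext if the stored value appears in the table."""
    return TABLE.get(stored_hash)

if __name__ == "__main__":
    for length, alphabet in [(8, 26), (8, 95), (12, 95)]:
        days = seconds_to_exhaust(length, alphabet) / 86400
        print(f"{length} chars, {alphabet} symbols: {days:,.4f} days")
    weak = store_unsalted("Summer2013!")
    strong = store_salted("Summer2013!")
    print("unsalted lookup:", lookup(weak))
    print("salted lookup:  ", lookup(strong[2].hex()))
    print("salted verify:  ", verify_salted("Summer2013!", strong))
```

The same password stored twice with `store_salted` yields two different records, which is what makes a shared precomputed table useless against it.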

This week has been a blitz of sessions, one-on-one deep discussions, and random swarms of passionate people descending on any table to discuss all things information security. The sessions were good, the products somewhat interesting, and the networking was fantastic. I did my best to tweet as much as I could from sessions throughout the conference, but there is a theme I saw and wanted to share for debate and consumption.

The risks are severe and quite frankly the offensive capability of attackers (individuals, attack teams like Anonymous, and nation state sponsored groups) is excellent. Organizations are suffering from exfiltrated data at an alarming scale, and the management of these threats is immature and ad hoc.

From a single vendor this would come across as F.U.D., but this was expressed by the Director of the NSA, and at nearly every session and keynote.

So what does this mean? Well, much like at RSA there is a need to translate and form an opinion, or lovingly called the ‘Apply Slide’. Below are the points that resonated for me – in no particular priority order:

There is a need for a more meaningful appreciation of what is valuable to every organization. This discussion needs to happen with the management, legal, risk management, internal audit, and technology leadership. A primary effort of bringing these individuals together is to ascertain what is valuable and in what forms it may exist throughout the business.

A sophisticated incident handling process is needed. This is a topic highlighted by the likes of Google and Signal Intelligence experts. The point though was lost I feel to the majority of attendees. The need is not simply to have trained team members with tools to be activated in the case of a breach. That is needed, but there is a much deeper need:

The maturing and sustaining of a firmwide global effort to respond to every infection / malware-instance / behavioral anomaly. Here is the thesis: Today most of these are addressed through a help desk function that follows a decade old process of risk identification and remediation. The common response is to update patches and have the behavior cease (removal of the error is considered a “fix”). It is widely accepted that the attackers and infection tools are highly sophisticated, and removal is not a linear path nor a guarantee of a “clean” system. In addition the statistics reinforce this fact when we look at the effectiveness of the anti-virus tools, the amount of malware that is unique and unknown, and the percentage of exfiltration events that occur resulting from this code. Finally, there is a stigma to ‘activating an incident response’ team in many organizations. Together these create an atmosphere where keyloggers / botnets / stuxnet / and similar malware toolsets can infect, avoid destruction, increase infiltration, and have intelligent exfiltration of desired data.

Cloud was a very popular topic all week, and despite professional annoyance of the media focusing on a single aspect of information technology one simple fact remains true. These sessions were packed. The information provided was not clear and visibility remains beyond immediate grasp. So – my response here is … these sessions were packed and the term is everywhere, because we do not have this at a state of understanding. I foresee this will be a long and great area to continue developing.

This week is the RSA Conference in San Francisco and despite itself being a huge conference with great people in attendance, there are also numerous other satellite conferences happening (BSidesSF and Cloud Summit). All that brain power is bound to generate some discussion and research reports generally are released during this PR window. So, here are a few items (new and old) that jumped out to me as getting much discussion and would be valuable to restate. As always, I will be punching up my notes to share as things that are meaningful are presented.

True Cost of Compliance put forward by Ponemon Institute and TripWire (released January 2011) – right off the top states that the average non-compliance costs are more than $5 million higher than the cost to comply. Here is the link to the report – no registration required, very nice. Also interested what that cover graphic is hiding…

Plenty of great streams of information flowing from the conference on twitter – set search filters to: #RSAC #RSA and of course, if you like a specific area (NIST, ISO, Cloud) hit those tags up too… This week is going to produce enough reading for a few flights across the pond for us all!

A new survey was released today from Thomson Reuters and Complinet based on 337 global practitioners within the Financial Services sector. The survey focused on GRC and how organizations are focused on addressing the risks this year compared to prior years. While this is principally focused on the Financial aspects of Risk management, Fraud, and legal aspects there are some interesting takeaways.

The first is that 71% of the professionals expect a need of greater resources and time to address an expected 83% increase in regulation and regulatory compliance requirements. The link requires registration, not my favorite. It does provide the survey report – a short 4 pages, and the prior years at 6 pages. Not very deep, but some interesting points – the reports may be garnered from this link.

One aspect that was interesting was how little Internal Audit is brought into these conversations on dealing with the business risk. It is the direct opposite of what one would consider appropriate – and one I find consistent with the Information Security teams. The lesson here, engage Internal Audit .. no need to re-invent risk management techniques (btw: I feel the same way of risk management within I.A. when compared against the insurance industry).